
RE: Mode-Config Questions



A recent mail to the DHC list from Bernie Volz (Process
Software). The bottom line appears to be that renewing
the lease is problematic since under RFC 2131 the DHCP
server will ignore the giaddr field if the VPN server
filled it in, and send the DHCPACK directly to the client,
which will not be expecting it.

-----Original Message-----
From: owner-dhcp-v4@bucknell.edu [mailto:owner-dhcp-v4@bucknell.edu]On
Behalf Of Bernie Volz
Sent: Monday, May 01, 2000 8:45 AM
To: DHCPv4 discussion list
Cc: DHCP-V4@bucknell.edu
Subject: RE: Relayed lease extension


Barr:

>This set-up might be used in other instances where the end-client never
>gets an address via DHCP itself (if I recall, PPP sends it in the initial
>negotiation to the client and thus the client isn't running DHCP at
>all). If the BigBox gets the lease on the address for a shorter time
>than the client is connected, it will need to renew the lease and hence
>the situation Wim is looking at.
>
>...Bernie, did you really mean to say that?  It seems to me that in the case
>you describe, BigBox (and NOT its downstream client) is the host known to a
>DHCP server as the DHCP client.  If you are suggesting a different
>interpretation, such as BigBox acting as proxy for its client, then the
>protocol may not adequately cover all implementation cases.

For renewals, how are they handled? The renewal is sent by BigBox with
the client's IP address. If the response is sent back to the client's
IP address, then either:
a) BigBox must take steps to prevent it from going to the client and
intercept it.
b) The renewal will go directly to the client and in the case of PPP
where the client isn't running DHCP, it will not have the desired
effect.

Since the original lease was done by BigBox on behalf of the client, the
renewal must also be done by BigBox on behalf of the client.

- Bernie


-----Original Message-----
From: owner-ietf-ipsra@mail.vpnc.org
[mailto:owner-ietf-ipsra@mail.vpnc.org]On Behalf Of Tylor Allison
Sent: Friday, April 28, 2000 2:52 PM
To: ietf-ipsra@vpnc.org; ipsec@lists.tislabs.com
Subject: Mode-Config Questions


For those of you who have implemented Mode-Config, I have a few
questions...

o   First of all, Mode-Config allows a client to request the IP addresses
    of DHCP Servers from the edge device.  Is it expected that once the
    client has obtained its address via Mode-Config, that it will then
    use DHCP to manage that address (DHCP lease renewal)?  Or is it
    expected that the client will contact the DHCP for network parameters
    not supplied via mode-config (via DHCP inform)?

o   Assuming that the client does not manage its dynamically-assigned IP
    address via DHCP, how and when does lease expiration get handled?  The
    mode-config draft mentions that the IP address is valid until the
    expiry time defined via the INTERNAL_ADDRESS_EXPIRY attribute, or until
    the ISAKMP SA expires.  Is it the client's responsibility to recognize
    lease expiration, and to perform a new mode-config exchange?  Can the
    edge-device force a new mode-config exchange via a SET/ACK protocol to
    extend the lease?

o   Finally, I'd be very interested in hearing anyone's thoughts on
    implementing mode-config for a gateway application.  In particular, is
    the typical method to implement a thin DHCP client interface within the
    gateway's ISAKMP server to interact with a separate DHCP server behind
    the gateway?  Or are people just implementing a private pool of
    addresses within ISAKMP?

    From my understanding of the DHCP standard, there are problems with
    having ISAKMP act as a DHCP client on behalf of the remote VPN client.
    This is especially true with the renewal of IP address leases, which
    requires the server to unicast replies back to the client address for
    which the lease is being renewed.  Just wondering if anyone has tackled
    these issues already... or if there is documentation out there which
    discusses solutions.

I've searched the archives, and really didn't find anything relating to
these questions... but if this has been previously discussed, could someone
point me to the thread.

Thanks in advance.

---
Tylor Allison         tylor_allison@securecomputing.com
Secure Computing Corporation
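As an added illustration of the renewal problem discussed in this thread (example code, not from any of the posters): the reply-addressing rules of RFC 2131 section 4.1 applied to a DHCPREQUEST that a gateway sends in a remote client's name, showing where the server will direct the DHCPACK. The addresses 192.0.2.1 (gateway) and 10.0.0.50 (address assigned to the VPN client) and the xid are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

BOOTREQUEST = 1
BROADCAST_FLAG = 0x8000      # RFC 2131 section 2, 'flags' field
ZERO = IPv4Address("0.0.0.0")
DHCP_COOKIE = b"\x63\x82\x53\x63"

def build_request_header(ciaddr: str, giaddr: str = "0.0.0.0", flags: int = 0) -> bytes:
    """Construct the fixed part of a DHCPREQUEST (RFC 2131 figure 1); options omitted.
    A RENEWING-state request carries the client's address in ciaddr and is unicast
    to the server, so giaddr is normally zero (RFC 2131 section 4.3.2)."""
    head = struct.pack("!BBBBIHH4s4s4s4s",
                       BOOTREQUEST, 1, 6, 0,          # op, htype=Ethernet, hlen, hops
                       0x3903F326, 0, flags,          # xid (constructed), secs, flags
                       IPv4Address(ciaddr).packed, ZERO.packed, ZERO.packed,
                       IPv4Address(giaddr).packed)
    # chaddr(16) + sname(64) + file(128) zero-padded, then the magic cookie
    return head + b"\0" * 208 + DHCP_COOKIE

def parse_fixed_header(pkt: bytes) -> dict:
    """Parse the fields a server consults when choosing a reply destination."""
    op, _htype, _hlen, hops, xid, _secs, flags, ci, yi, si, gi = \
        struct.unpack("!BBBBIHH4s4s4s4s", pkt[:28])
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": IPv4Address(ci), "yiaddr": IPv4Address(yi),
            "siaddr": IPv4Address(si), "giaddr": IPv4Address(gi)}

def reply_destination(msg: dict) -> tuple:
    """Destination of the server's DHCPOFFER/DHCPACK, per RFC 2131 section 4.1."""
    if msg["giaddr"] != ZERO:
        return str(msg["giaddr"]), 67            # back through the relay agent
    if msg["ciaddr"] != ZERO:
        return str(msg["ciaddr"]), 68            # unicast to the renewing client
    if msg["flags"] & BROADCAST_FLAG:
        return "255.255.255.255", 68
    return str(msg["yiaddr"]), 68                # unicast to the offered address

def gateway_must_intercept(pkt: bytes, gateway_addrs: set) -> bool:
    """True when the ACK for this request will not land on the gateway itself,
    i.e. the gateway has to capture it before it reaches the remote client."""
    dest, _port = reply_destination(parse_fixed_header(pkt))
    return dest not in gateway_addrs

if __name__ == "__main__":
    # Constructed scenario: gateway 192.0.2.1 renews 10.0.0.50 on behalf of a VPN client.
    renewal = build_request_header(ciaddr="10.0.0.50")
    print(reply_destination(parse_fixed_header(renewal)))      # ('10.0.0.50', 68)
    print(gateway_must_intercept(renewal, {"192.0.2.1"}))      # True
```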